GDPR for HR

GDPR for HR Coffee Break | May 2026

Published on 11th May 2026

Holiday pay records, security duty, and refusing abusive DSARs

At a glance

  • Since 6 April 2026, employers face criminal liability and six-year enforcement exposure for inadequate holiday pay records.

  • An ICO fine and a Court of Appeal ruling clarify controller obligations on security and data minimisation in practice.

  • A CJEU ruling opens narrow grounds to refuse opportunistic DSARs, but the evidential burden lies firmly with the controller.

Holiday pay records: new statutory obligations from April 2026

Since 6 April 2026, employers must keep records for all workers covering holiday entitlement, holiday taken, carry-over, holiday pay (including calculation breakdowns and variable pay components), and payments in lieu of untaken holiday. Records may be kept in any format and must be retained for at least six years.

While good record-keeping has always been best practice, the new rules carry serious consequences: inadequate records are a criminal offence carrying unlimited fines, and the newly created Fair Work Agency can investigate underpayments going back six years.

What should employers do?
  • Audit HR and payroll systems to confirm adequate details are being captured for all workers.
  • Update software to record required calculation methods, supplementing with manual logs where necessary.
  • Review retention policies to ensure records are kept for at least six, or ideally seven, years, with clear procedures for secure storage and deletion.
  • Train HR, payroll, and line management teams on the new obligations and consequences of non-compliance.

Police Scotland fined £66,000 for failing to protect sensitive personal data

The Information Commissioner's Office (ICO) has fined Police Scotland £66,000 and issued a formal reprimand after the force extracted the full contents of a victim's mobile phone without adequate controls, then included largely irrelevant, unredacted data in a misconduct disclosure bundle shared with an unauthorised third party.

This is a timely reminder (particularly for those conducting employment investigations) that robust data protection frameworks must be in place not just in policy, but in practice.

What does this mean for employers?
  • Ensure adequate technical and organisational safeguards are in place to protect personal data.
  • Limit processing and sharing of personal data to what is strictly necessary for the relevant purpose.
  • Provide staff with clear guidance on handling sensitive information.
  • Understand and comply with ICO breach notification requirements, including applicable timeframes.

For more on this, see this Regulatory Outlook.


Court of Appeal confirms the security duty is assessed from the data controller's perspective

In February 2026, the Court of Appeal upheld the ICO's £500,000 fine against DSG Retail Limited (Currys PC World) following a 2017-2018 cyber-attack in which hackers scraped payment card data from at least 14 million individuals.

DSG argued it had no obligation to protect data that attackers could not use to identify individuals. The court rejected this, confirming that the security and data minimisation duty in investigations is assessed from the data controller's perspective, not the attacker's.

What does this mean for employers?
  • Assess security obligations from your own perspective as data controller — not from that of a potential attacker.
  • Implement robust security measures across all personal data held, including partial or incomplete data sets.
  • Do not assume data that would be non-identifiable in a third party's hands falls outside your security obligations.
  • Review existing security frameworks to ensure they are sufficiently broad in scope.

For more, see this Regulatory Outlook.


Ruling on refusing abusive DSARs

In March 2026, the Court of Justice of the EU (CJEU) considered a German case (Brillen Rottler GmbH & Co. KG v TC) involving an individual who subscribed to an optician's newsletter and, just 13 days later, submitted a data subject access request (DSAR).

When the company refused on the basis of abusive intent, the individual claimed €1,000 in compensation. The German court referred two questions to the CJEU: (1) whether a first DSAR can be "excessive"; and (2) whether a data subject can claim compensation for an unlawful refusal. Although not binding on UK courts, CJEU decisions are persuasive.

The CJEU clarified the following:

  • A first DSAR can be refused as "excessive", but only in exceptional circumstances where the controller can demonstrate abusive intent: for example, that the request was designed to engineer a compensation claim rather than to verify the lawfulness of processing. The burden of proof lies with the controller.
  • Publicly available evidence of a data subject submitting multiple DSARs and compensation claims against different controllers may be relied upon to establish abusive intent.
  • Wrongful refusal of a DSAR can give rise to compensation under Article 82(1) GDPR, with no requirement to show that the underlying processing was unlawful.
  • Non-material damage (such as loss of control over personal data or uncertainty about processing) may be compensable, but claimants must demonstrate actual harm; a mere allegation of fear or uncertainty is insufficient.

What does this mean for employers?
  • Controllers have a narrow but usable basis to refuse opportunistic DSARs where well-documented evidence of abusive intent exists.
  • Consider developing a checklist of the evidence to gather where abuse is suspected.
  • Even where refusal is being considered, the one-month response window still applies and should not be overlooked.

For more on the case, see also this Regulatory Outlook.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.